IAPP Certification Foundation Study Guide
Effective March 2013
WELCOME

Congratulations on taking the first step toward achieving an IAPP privacy certification. This study guide contains the basic information you need to get started:

• An explanation of the IAPP certification program structure
• Key areas of knowledge for the Certification Foundation program
• Recommended steps to help you prepare for your exam
• A detailed Body of Knowledge for the Certification Foundation program
• An exam blueprint
• Sample questions
• General exam information
IAPP Certification Foundation Study Guide 2
The IAPP Certification Program Structure

The IAPP currently offers two certification programs: the Certified Information Privacy Professional (CIPP) and the Certified Information Privacy Manager (CIPM).

The CIPP is the “what” of privacy. Earning this designation demonstrates your mastery of a principles-based framework in information privacy in a legal or practical specialization. Within the CIPP, there are five concentrations:

• U.S. private-sector privacy (CIPP/US)
• Canadian privacy (CIPP/C)
• European privacy (CIPP/E)
• U.S. government privacy (CIPP/G)
• Privacy in information technology (CIPP/IT)
The CIPM is the “how” of privacy. Earning this designation assesses your understanding of the application of common privacy practices in the daily operations of an organization. There are no concentrations within the CIPM; it crosses all jurisdictions and industries.

To become certified in any of these areas, you must successfully complete the Certification Foundation examination, followed by a designation exam (either the CIPM exam or an exam in one of the five CIPP concentrations). The Certification Foundation exam assesses understanding of fundamental concepts of privacy and data protection. It covers common practice areas that are relevant to all privacy professionals regardless of legal jurisdiction, geographic location or practice specialization. You must pass both the Certification Foundation exam and a designation exam to achieve certification. Successful completion of just one exam will not result in certification being awarded.

Testing for Multiple Designations

Many people choose to certify in multiple areas. Should you wish to pursue additional designations, you are not required to retake the Certification Foundation multiple times; you are only required to pass the additional designation exam to achieve another credential.

Requirements for IAPP Certification

1. You must be a current member of the IAPP prior to registering for your examination. (Information about IAPP membership, including levels, benefits and rates, is available on the IAPP website at www.privacyassociation.org/membership.)
2. Successful completion of both the Certification Foundation exam and a designation exam.
Certification Foundation Key Areas of Knowledge

The Certification Foundation, which is a prerequisite for all IAPP designations, covers elementary concepts of privacy and data protection from a global perspective. It is designed to provide the basis for a multi-faceted approach to privacy and data protection and to allow the specific IAPP privacy certifications to build upon this foundation with minimal repetition. The four Foundation course components are:

I. Common Principles and Approaches to Privacy
• Historical descriptions, definitions and classes of privacy
• Types and elements of information
• Privacy policies and notices and processing of personal data
• Information risk management and information lifecycle principles
• Modern privacy principles, including FIPs, OECD and APEC, and common themes

II. A Survey of Global Privacy Laws and Industry Practices
• Global perspectives and data protection models
• The U.S. approach to information privacy
• The EU Data Protection Directive
• Data protection in Asia, Africa and the Middle East
• Sectors of privacy law, including healthcare, financial, telecommunications, marketing and human resources

III. Information Security
• Privacy and information security in context
• Elements of information security
• Information security standards: ISO 27001 and ISO 27002
• Information security threats and vulnerabilities
• Information security management and governance

IV. Online Privacy: Using Personal Information on Websites and with Other Internet-related Technologies
• Privacy considerations for sensitive online information, including data subject access and redress, children’s online privacy, online identification methods, privacy and electronic mail, Internet searches, marketing and advertising, social media, cloud computing and mobile privacy
Preparation

Privacy certification is an important effort that requires advance preparation. Deciding how you will prepare for your exams is a personal choice that should include an assessment of your professional background, scope of privacy knowledge and your preferred method of learning. In general, the IAPP recommends that you plan for a minimum of 20 hours of study time in advance of your exam date; however, you might need more or fewer hours depending on your personal choices and professional experience. The IAPP recommends you prepare in the following manner:

1. Review the Body of Knowledge
   The Body of Knowledge for the Certification Foundation program is a comprehensive outline of the subject matter areas covered by the Foundation exam. Review it carefully to help determine which areas merit additional focus in your preparation. See pages 6-10.

2. Review the exam blueprint
   The Certification Foundation Examination Blueprint on page 11 specifies the number of items from each area of the Body of Knowledge that will appear on the exam. Studying the blueprint can help you further target your primary study needs.

3. Study the Certification Foundation textbook
   Foundations of Information Privacy and Data Protection is the official reference for the Certification Foundation program. The IAPP strongly recommends you take the time to carefully read and study the textbook.

4. Get Certification Training
   The IAPP offers both in-person certification prep classes and online training to help you prepare for your exams. You can find a list of scheduled classes and/or purchase downloadable online training on the IAPP website.

5. Take the Certification Foundation practice test
   Practice tests are a great way to gain familiarity with the format and content of the actual designation exams. Practice tests are shorter versions of the exam, available in a downloadable PDF file containing the test itself, an answer key and an explanation of each correct answer.

6. Review other IAPP preparation resources
   Additional resources are available on the IAPP website, including a searchable glossary of terms, a bibliography of recommended reading and a case study book.
Certification Foundation Common Body of Knowledge Outline

I. Common Principles and Approaches to Privacy

A. A Modern History of Privacy
   a. Descriptions, definitions and classes
   b. Historical and social origins
B. Types of Information
   a. Personal information
   b. Non-personal information
   c. General and organizational
      i. Financial
      ii. Human resources
      iii. Operational
      iv. Intellectual property (IP)
      v. Information products and services
   d. Elements of personal information
      i. Data subjects
      ii. Personal data (EU)
      iii. Personally identifiable information (U.S.)
      iv. Sensitive personal information
   e. Processing of personal data
      i. Data controller
      ii. Data processor
      iii. Data protection authority (DPA)
   f. Privacy policy and notice
      i. Consent and choice
         1. Opt in and opt out
C. Information Risk Management
   a. Privacy’s impact on organizational risk
      i. Main drivers and challenges
      ii. Common processes
      iii. Potential outcomes
   b. Information lifecycle principles
      i. Collection
      ii. Use and retention
      iii. Disclosure
      iv. Management and administration
      v. Monitoring and enforcement
   c. Privacy impact assessments (PIA)
D. Modern Privacy Principles
   a. Foundational principles
      i. U.S. fair information practices
         1. Notice, access, choice and consent
         2. Scope and limitations of use
      ii. The Organization of Economic Cooperation and Development (OECD) “Guidelines Governing the Protection of Privacy and Trans-border Data Flows of Personal Data” (1980)
      iii. The Asia Pacific Economic Cooperation (APEC) privacy principles
   b. Historical timeline of principles frameworks
   c. Common themes among principles frameworks
II. Jurisdictions and Industries

A. Geography: Privacy and Data Protection Regulation
   a. Introduction
   b. Global perspectives overview
      i. Countries with comprehensive data protection laws
      ii. Countries with sectoral data protection laws
      iii. The co-regulatory model
      iv. The self-regulatory model
   c. United States
      i. Federal privacy laws
      ii. State privacy laws
   d. Canada
      i. The Privacy Act of 1983
      ii. The Personal Information Protection and Electronic Documents Act of 2000 (PIPEDA)
   e. Europe
      i. The European Union (EU) Data Protection Directive (95/46/EC)
         1. Applicability
         2. Core principles
         3. Data processing
         4. Data transfers
            a. “Adequacy”
            b. Binding corporate rules (BCRs)
            c. Model contracts
      ii. The EU ePrivacy Directive (2002/58/EC)
      iii. The Article 29 Working Party
      iv. Employment data
      v. EU – U.S. Safe Harbor Principles
         1. Program components
         2. Privacy principles
         3. Compliance and enforcement
   f. Japan
      i. Laws concerning the protection of personal information
      ii. Data transfer requirements
   g. Australia
      i. The Privacy Act of 2001
   h. Latin America
      i. “Habeas data”
   i. India
   j. Other countries
B. Sectors of Privacy Law
   a. Introduction
   b. Healthcare
   c. Financial
   d. Telecommunications
   e. Online privacy
   f. Government
   g. Marketing
   h. Energy
   i. Human resources
   j. Other
III. Information Security: Safeguarding Personal Information

A. Introduction to Information Security
   a. Privacy and information security in context
      i. Definitions
      ii. Confidentiality, integrity and availability
      iii. Common issues and challenges
         1. Privacy vs. security
   b. Elements of information security
      i. Information security needs
      ii. Information security key principles
         1. Segregation of duties
         2. Access privileges
         3. Least privilege
   c. Information security standards
      i. ISO 27001
      ii. ISO 27002
         1. Security clauses
   d. Information security threats and vulnerabilities
      i. Determining risk
      ii. Threat agents and origins
      iii. Security risks and vulnerabilities
      iv. Malware
      v. Phishing
      vi. Social engineering
B. Information Security Management
   a. Building an information security framework
      i. Process components
      ii. Industry standards
      iii. Organizational policy
   b. Information security compliance
      i. Legal requirements
   c. Common information security controls
      i. Access control policy and responsibility
      ii. Access control types
         1. Preventative
         2. Detective
         3. Corrective
      iii. Access control placement
         1. Network
         2. Operating system
         3. Application layer
         4. Mobile computing and teleworking
      iv. Cryptography
         1. General concepts of shared and public key cryptography
            a. Public key infrastructure (PKI)
         2. Encryption
         3. Decryption
         4. Non-repudiation
         5. Other uses
            a. Digital signatures
            b. Certifications
      v. Identity and access management (IAM)
         1. Authentication
         2. Authorization
      vi. Other controls
         1. Networks
            a. Firewalls
            b. Intrusion detection systems (IDS)
            c. Intrusion prevention systems (IPS)
            d. Data loss and data leakage protection
         2. Financial transactions
            a. Payment Card Industry (PCI) Data Security Standard (DSS)
   d. Information security governance
      i. Internal to organization
      ii. External parties
      iii. Asset management
         1. Inventory of assets
         2. Information classification
      iv. Human resources security
         1. Pre-employment
         2. Change of employment
      v. Physical and environmental security
         1. Securing facilities
         2. Equipment safety
      vi. Communications and operations management
         1. Management of third-party service delivery
         2. System monitoring
            a. System and end user
         3. Back-up media
            a. Handling
            b. Transfer of information
         4. Online security and monitoring
      vii. Incident management
         1. Reporting events and weaknesses
         2. Managing incidents and improvements
         3. Business continuity
      viii. The information security program
         1. The information security management system (ISMS)
         2. Program improvement
         3. Management review
         4. Program assessments
            a. Internal audits
            b. External/third-party audits
      ix. Vendor management
         1. Due diligence and qualification
         2. Contract management
IV. Online Privacy: Using Personal Information on Websites and with Other Internet-related Technologies

A. The Web as a Platform
   a. Standard Web protocols
      i. Internet protocol (IP)
      ii. Hypertext transfer protocol (HTTP)
      iii. Hypertext transfer protocol – secure (HTTPS)
      iv. Internet proxies and caches
      v. Web server logs
      vi. Transport layer security (TLS)
      vii. Secure sockets layer (SSL)
B. Privacy Considerations for Sensitive Online Information
   a. Threats to online privacy
      i. Cross-site scripting (XSS)
   b. Online privacy notices and methods for communication
      i. Website privacy statement
         1. Location at/link from all points of data collection
         2. Sample language
      ii. Layered notice
   c. Data subject access and redress
   d. Online security
   e. Website user authentication
   f. Children’s online privacy
   g. Active versus passive data collection
      i. Web forms
   h. Online identification mechanisms
      i. Cookies
         1. First-party and third-party
         2. Common use cases
         3. Industry best practices
      ii. Web beacons
   i. Privacy and electronic mail
      i. Commercial e-mail
         1. Best practices and standards for privacy protection
         2. Unsolicited commercial e-mail (“spam”)
   j. Internet searches
   k. Online marketing and advertising
      i. Search engine marketing (SEM)
      ii. Online behavioral marketing (OBM)
   l. Online social media
      i. Social networking services
      ii. Instant messaging
   m. Online assurance
      i. Trust seal and dispute resolution programs
      ii. Self-regulatory frameworks
   n. Cloud computing
   o. Mobile online privacy
      i. Location data
Certification Foundation Exam Format

The Certification Foundation exam is a 90-minute, 90-item, objective test. The Foundation exam is composed of 90 multiple-choice items. There are no essay questions. Each correct answer is worth one point. It is important to note that Certification Foundation is not itself an IAPP certification; you must pass both the Certification Foundation and a designation exam to achieve certification.
Exam Blueprint

The exam blueprint indicates the minimum and maximum number of questions included on the exam from the major areas of the body of knowledge. Questions may be asked from any of the topics listed within each area. You can use this blueprint to guide your studying.

Area                                                           Min   Max
I. Common Principles and Approaches to Privacy                   31    35
   A. Modern history of privacy                                   1     3
   B. Types of information                                       15    21
      Personal information, non-personal information, general and organizational information, elements of personal information, data processing roles, privacy policy and notice
   C. Information risk management                                 7    11
      Privacy’s impact on organizational risk, information lifecycle principles, privacy impact assessments
   D. Modern privacy principles                                   3     5

II. Privacy by Jurisdictions and Industries                      20    23
   A. Jurisdictions                                              10    13
      Global perspectives, Europe, United States, Canada, other jurisdictions
   B. Industries                                                  9    11
      Healthcare, financial, telecommunications, marketing, human resources, other industries

III. Information Security: Safeguarding Personal Information     12    14
   A. Overview of information security                            7    11
      Privacy and information security in context, elements of information security, information security standards, information security threats and vulnerabilities
   B. Information security management                             3     5
      Building an information security framework, information security compliance, common information security controls, information security governance

IV. Online Privacy                                               20    24
   A. Standard web protocols                                      1     3
   B. Privacy considerations                                     20    22
      Threats to online privacy, online privacy notice and methods for communication, data subject access and redress, online security, website user authentication, children’s online privacy, active vs. passive data collection, online identification mechanisms, privacy and e-mail, Internet searches, online marketing and advertising, online social media, online assurance, cloud computing, mobile online privacy
Sample Exam Questions

1. What is the definition of a data controller?
   A. A third-party service provider that maintains the platform on which personal data is stored.
   B. A supervisory authority empowered to enforce privacy regulation or law.
   C. The individual who provides the personal data.
   D. An entity that holds personal data and determines the purposes of use.

2. What must be included in a privacy impact assessment?
   A. A regulatory review of the assessment.
   B. The source code of the system processing the data.
   C. The attributes of data collected.
   D. The administrator passwords of the system being evaluated.

3. Which standard web protocol allows for a peer’s identity to be authenticated prior to a connection being made?
   A. Secure Sockets Layer.
   B. Hypertext Transfer Protocol.
   C. Transmission Control Protocol.
   D. Internet Protocol.

4. What is an example of passive data collection on a website?
   A. Single sign-on service.
   B. Drop-down list.
   C. De-selected check box.
   D. Web beacon.
General Exam Information

The IAPP offers testing at major annual conferences and at select industry conferences. Event-based testing is paper-and-pencil format. You may sit for the Certification Foundation and one designation exam during a single event. The IAPP also offers testing via computer-based delivery at test centers worldwide. There are approximately 600 Kryterion High-stakes Online Secured Testing (HOST) locations around the world where IAPP certification exams are administered. You can find detailed information about how to register for exams, as well as exam day instructions, on our website at www.privacyassociation.org/certification.
Questions?

The IAPP recognizes that privacy certification is an important professional development effort requiring commitment and preparation. We thank you for choosing to pursue certification, and we welcome your questions and comments regarding our certification program. Please don’t hesitate to contact us at [email protected] or +1 603.427.9200.